File name:

XwormRAT V3.1.7.rar

Full analysis: https://app.any.run/tasks/613b8cf9-a685-43ad-8619-523d754ab1b2
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: August 24, 2024, 13:26:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
telegram
xworm
xor-url
generic
netreactor
crypto-regex
ip-check
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

AAFBE273C8423746DAACCBA0D724FD0B

SHA1:

560E51EE7AE9DBCA88E4FD970A2BB1C065B58502

SHA256:

9F6536A94D20CEE198C4159E3FC677460532929B12DECD85D8E2EB51B4A515DF

SSDEEP:

98304:o0rHJSdDMXWcHi8YSotAMN81YBD0guShQOHpcR4gttOzreSGA0uHHrzMJ8ny1NQK:PIJossTsiRPd7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • XClient.exe (PID: 964)

    • Changes the autorun value in the registry

      • XClient.exe (PID: 964)

    • Create files in the Startup directory

      • XClient.exe (PID: 964)

    • XWORM has been detected (YARA)

      • XClient.exe (PID: 964)

    • XORed URL has been found (YARA)

      • XWorm.exe (PID: 6176)
      • XWorm.exe (PID: 6000)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6640)
      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)

    • Executable content was dropped or overwritten

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)

    • Reads security settings of Internet Explorer

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)

    • Reads the date of Windows installation

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)

    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 6376)
      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2256)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • XClient.exe (PID: 964)

    • There is functionality for capture public ip (YARA)

      • XWorm.exe (PID: 6176)

    • The process executes via Task Scheduler

      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)

    • The process checks if it is being run in the virtual environment

      • XWorm.exe (PID: 6176)

    • Found regular expressions for crypto-addresses (YARA)

      • XWorm.exe (PID: 6176)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6924)

    • Manual execution by a user

      • WinRAR.exe (PID: 6924)
      • cmd.exe (PID: 6540)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)

    • Checks supported languages

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • XWorm.exe (PID: 6176)
      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)
      • XClient.exe (PID: 420)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)
      • XClient.exe (PID: 6768)
      • XWorm.exe (PID: 6000)
      • XWorm.exe (PID: 1084)

    • Reads the computer name

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • XWorm.exe (PID: 6176)
      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)
      • XClient.exe (PID: 420)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)
      • XWorm.exe (PID: 6000)
      • XClient.exe (PID: 6768)
      • XWorm.exe (PID: 1084)

    • Creates files or folders in the user directory

      • Xworm.exe (PID: 6008)
      • XWorm.exe (PID: 6176)
      • XClient.exe (PID: 964)

    • Reads the machine GUID from the registry

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • XWorm.exe (PID: 6176)
      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)
      • XClient.exe (PID: 420)
      • XWorm.exe (PID: 6000)
      • XClient.exe (PID: 6768)
      • XWorm.exe (PID: 1084)

    • Process checks computer location settings

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)

    • Attempting to use instant messaging service

      • XClient.exe (PID: 964)
      • svchost.exe (PID: 2256)

    • .NET Reactor protector has been detected

      • XWorm.exe (PID: 6176)
      • XWorm.exe (PID: 6000)

    • Reads Environment values

      • XClient.exe (PID: 964)

    • Disables trace logs

      • XClient.exe (PID: 964)

    • Checks proxy server information

      • XClient.exe (PID: 964)

    • Reads the software policy settings

      • XClient.exe (PID: 964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(964) XClient.exe
C2Viiper1337-29699.portmap.host:29699
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameUSB.exe
Mutex0J5prv3fehnur4Jz

xor-url

(PID) Process(6176) XWorm.exe
Decrypted-URLs (8)http://ip-api.com/csv/?fields=status,query#
http://www.example.com/File.exe!
http://www.example.com/File.exe)
http://www.example.com/XClient.exe*
https://pastebin.com/raw/H3wFXmEi+
https://t.me/XCoderGroup)
https://t.me/XCoderTools+
https://www.google.com/maps/place/$
(PID) Process(6000) XWorm.exe
Decrypted-URLs (8)http://ip-api.com/csv/?fields=status,query#
http://www.example.com/File.exe!
http://www.example.com/File.exe)
http://www.example.com/XClient.exe*
https://pastebin.com/raw/H3wFXmEi+
https://t.me/XCoderGroup)
https://t.me/XCoderTools+
https://www.google.com/maps/place/$
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
19
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe winrar.exe rundll32.exe no specs cmd.exe no specs conhost.exe no specs xworm.exe #XWORM xclient.exe #XOR-URL xworm.exe schtasks.exe no specs conhost.exe no specs svchost.exe xclient.exe no specs xclient.exe no specs xworm.exe no specs xclient.exe no specs #XOR-URL xworm.exe no specs xworm.exe no specs xclient.exe no specs xworm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240"C:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Xworm.exe" C:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Xworm.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xwormrat v3.1.7\xwormrat v3.1.7\xworm v3.1.7z\src\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
420"C:\Users\admin\AppData\Roaming\XClient.exe" C:\Users\admin\AppData\Roaming\XClient.exeXworm.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
964"C:\Users\admin\AppData\Roaming\XClient.exe" C:\Users\admin\AppData\Roaming\XClient.exe
Xworm.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(964) XClient.exe
C2Viiper1337-29699.portmap.host:29699
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameUSB.exe
Mutex0J5prv3fehnur4Jz
1084"C:\Users\admin\AppData\Roaming\XWorm.exe" C:\Users\admin\AppData\Roaming\XWorm.exeXworm.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1920\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6000"C:\Users\admin\AppData\Roaming\XWorm.exe" C:\Users\admin\AppData\Roaming\XWorm.exe
Xworm.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
xor-url
(PID) Process(6000) XWorm.exe
Decrypted-URLs (8)http://ip-api.com/csv/?fields=status,query#
http://www.example.com/File.exe!
http://www.example.com/File.exe)
http://www.example.com/XClient.exe*
https://pastebin.com/raw/H3wFXmEi+
https://t.me/XCoderGroup)
https://t.me/XCoderTools+
https://www.google.com/maps/place/$
6008Xworm.exe C:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Xworm.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xwormrat v3.1.7\xwormrat v3.1.7\xworm v3.1.7z\src\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6176"C:\Users\admin\AppData\Roaming\XWorm.exe" C:\Users\admin\AppData\Roaming\XWorm.exe
Xworm.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
xor-url
(PID) Process(6176) XWorm.exe
Decrypted-URLs (8)http://ip-api.com/csv/?fields=status,query#
http://www.example.com/File.exe!
http://www.example.com/File.exe)
http://www.example.com/XClient.exe*
https://pastebin.com/raw/H3wFXmEi+
https://t.me/XCoderGroup)
https://t.me/XCoderTools+
https://www.google.com/maps/place/$
6376"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Public\XClient.exe"C:\Windows\System32\schtasks.exeXClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
23 000
Read events
22 923
Write events
77
Delete events
0

Modification events

(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\XwormRAT V3.1.7.rar
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
10
Suspicious files
3
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\NAudio.dllexecutable
MD5:3B87D1363A45CE9368E9BAEC32C69466
SHA256:81B3F1DC3F1EAC9762B8A292751A44B64B87D0D4C3982DEBFDD2621012186451
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\GeoIP.datbinary
MD5:8EF41798DF108CE9BD41382C9721B1C9
SHA256:BC07FF22D4EE0B6FAFCC12482ECF2981C172A672194C647CEDF9B4D215AD9740
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\IconExtractor.dllexecutable
MD5:640D8FFA779C6DD5252A262E440C66C0
SHA256:440912D85D2F98BB4F508AB82847067C18E1E15BE0D8ECDCFF0CC19327527FC2
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\GMap.NET.Core.dllexecutable
MD5:819352EA9E832D24FC4CEBB2757A462B
SHA256:58C755FCFC65CDDEA561023D736E8991F0AD69DA5E1378DEA59E98C5DB901B86
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\GMap.NET.WindowsForms.dllexecutable
MD5:32A8742009FFDFD68B46FE8FD4794386
SHA256:741E1A8F05863856A25D101BD35BF97CBA0B637F0C04ECB432C1D85A78EF1365
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Readme.txttext
MD5:85122AD50370F9A829B6602384B1B644
SHA256:444CBC7B57B4A6198EE1474FD9623E1AFCB8C7A0B180F05E961A822F4365499B
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\SimpleObfuscator.dllexecutable
MD5:9043D712208178C33BA8E942834CE457
SHA256:B7A6EEA19188B987DAD97B32D774107E9A1BEB4F461A654A00197D73F7FAD54C
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Xworm.exeexecutable
MD5:D917F6CBA4D594FE69C6878CE610E43D
SHA256:BA4B36C95D9549546BBBEA35B951BC9AFD085E18D74AD04D93DF924B6BCBFAA7
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\Start.battext
MD5:3B263F65DAEAC34F1F23755ED4C94F5D
SHA256:DB2C285C77534AE0EDA2911FDA6786D49506D11C74C37C15A814D4810BFDF1A6
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\FastColoredTextBox.dllexecutable
MD5:B746707265772B362C0BA18D8D630061
SHA256:3701B19CCDAC79B880B197756A972027E2AC609EBED36753BD989367EA4EF519
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
22
DNS requests
32
Threats
37

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6152
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5116
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2212
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
4296
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6152
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6152
SIHClient.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6152
SIHClient.exe
20.242.39.171:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
api.telegram.org
  • 149.154.167.220
shared
Viiper1337-29699.portmap.host
malicious
login.live.com
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.136
  • 40.126.32.74
  • 40.126.32.134
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
964
XClient.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
964
XClient.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
2256
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
2256
svchost.exe
Potential Corporate Privacy Violation
ET POLICY DNS Query to a Reverse Proxy Service Observed
2256
svchost.exe
Potential Corporate Privacy Violation
ET POLICY DNS Query to a Reverse Proxy Service Observed
2256
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
2256
svchost.exe
Potential Corporate Privacy Violation
ET POLICY DNS Query to a Reverse Proxy Service Observed
2256
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
2256
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
Process
Message
XWorm.exe
The type initializer for 'XWorm.Messages' threw an exception.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
XwormRAT V3.1.7.rar